Cyber Risks Seminar:

Transcription

1 Gilbert Flepp Cyber Risks Manager, Chubb Eurasia & Africa Lagos October, 2017 Cyber Risks Seminar: Cyber Engineering Services October 2017

2 Lagos, October 2017 IT Risks assessment IT security controls Business challenges - Organisation, Policies, rules - Data protection & access controls - Systems security - Network security - Disaster recovery - Physical security - Industry sector - Threats & vulnerabilities - Figures : turnover, #employees - Criticality of the systems - Business impact - Types of records - Reputation & visibility the greater the impact, The stronger IT security controls should be: Evaluate the business challenges (what is at stake) Appreciate IT security controls with respect to business challenges 10/13/2017 2

3 June, 2016 Cyber Security Standards Information security guides and standards ISO-2700x : 11 domains of ISO NIST Cybersecurity framework (InfoSec processes: Identify, Protect, Detect, Respond, Recover) Valuable Guides and Resources (for businesses) UK government (CESG): 10 steps to cybersecurity FR government (ANSSI) : 40 essential measures for a healthy network & Cyber Hygiene Guide USA government (US-CERT) : cybersecurity framework Verizon DBIR 2016 : executive-summary_xg_en.pdf Verizon DB Digest 2016 :

4 June,

5 Gilbert Flepp Lagos, October 2017 IT Risk Assessment

6 IT Risks assessment (2) Low/Medium security requirements Mapping of IT systems End point security : standard configuration, antimalware suite, patch management Access controls : passwords management, role based, least privilege principle, account reviews Network security : firewalls, monitoring Disaster Recovery : redundancy, backups, recovery testing Physical security : Datacentre, data-rooms Audits High security requirements All the questions of the questionnaire YES Evaluate maturity of the processes : Information Security Management processes : identify, protect, detect, respond, recover Risk management processes : identification, assessment, treatment, regular reviews, continuous improvement APT security : detection tools, organisation (CERT), response plan 10/13/2017 Welcome to ACE in EMEA 6

7 Lagos October, 2017 The patch process leftovers Comparison of organization behavior Area Under the Curve (AUC): How protected you are while actively patching Knocking a majority of the findings out quickly will result in in a higher AUC Percentage Completed On Time (COT) COT is the amount of vulnerabilities patched at cut-off time (usually 12 weeks) Findings that aren t patched quickly tend to go unpatched for a long period if time. We call them the leftover 2017 Data Breach Investigation Report - Verizon

8 IT Risks assessment (3) Personal Data Security Personal Data Protection Policy Limited access to PD Awareness on IT risks and particularly phishing and social engineering Training, data collection, processing and storage rules Access controls : identification, authentication, authorization, accounting, alerts, reviews Encryption of information : laptops, mobiles, USB storage and sensitive information in the systems Physical security : Datacentre, data-rooms PCI DSS as a reference for PCI protection Suppliers, Data processors contracts, security requirements, audits Testing (ex. Phishing) Network security : firewall, Intrusion Detection/Prevention Systems, monitoring 10/13/2017 Welcome to ACE in EMEA 8

9 Lagos October, 2017 Typical Cyber risks profiles For different industries

10 IT Risks : retail Central systems : ERP system : procurement, inventory, product lifecycle, finance Warehouse Management System : tracking inventory level, stock locations Supply chain management : tracking materials, information and finance flows in order to reduce stocks Customer Relationships Management Revenue Management Systems Systems in the stores Retail server Cashiers POS Digital store : e-commerce website 10/13/2017 Welcome to ACE in EMEA 10

11 IT Risks : retail (2) Availability risks: Central systems Warehouse systems Interconnection between central systems, stores and warehouses Cashiers in the stores Retail server in the store E-commerce web server Privacy breach risks Loss of customers database Loss of Payment Card Information Points of attention Resiliency of central systems, e-commerce website, and networks Disaster Recovery Plan for both central systems and e-commerce Payment security in the web site and in the stores (POS and cashiers security) Data collection, storage, processing and removal Web-site security : patch management, penetration testing Stores security : own stores vs franchised

12 Lagos, October 2017 Retailers Business Exposures Supply chain, orders and stocks management : just-in-time, high volume, high value E-commerce versus Brick & mortar shops Customer s PII (Personally Identifiable Information) Electronic payments (web and stores / PoS) Warehouse automation/management systems Security Controls Disaster Recovery Plan Website security, penetration testing, anti-ddos Data protection policies PCI DSS compliance Data Breach Response and Crisis Management Stores dependency on IT systems

13 Lagos, October 2017 Financial institutions Business Exposures Financial transactions processing Internet Banking Portal Customer s PII Cyber crime Third parties providing essential services Security Controls Disaster Recovery Plan Website security, penetration testing, anti-ddos Data protection policies including OSP PCI DSS compliance Data Breach Response and Crisis Management Advanced network and information monitoring Threats intelligence

14 Lagos, October 2017 Hospitality Business Exposures Reservation system E-commerce Call centre Customer s PII Electronic payment (web, hotel, Restaurants, call) Hotels dependency on IT systems Security Controls Disaster Recovery Plan Website security, penetration testing, anti-ddos Data protection policies PCI DSS compliance Data Breach Response and Crisis Management

15 IT Risks : Travels (1) Central systems : Reservation systems CRM Partners communication Revenue management Call Centre Systems in the agencies E-commerce 10/13/2017 Lagos, October

16 IT Risks : Travels (2) Availability risks: Central systems : ERP, BI, CRM, Reservation system, revenue management Call Centre Interconnection between central systems, agencies and call centers E-commerce web server (if any) Data breach risk Loss of customers database Loss of Payment Card Information Points of attention Resiliency of central systems, e-commerce website and networks Disaster Recovery Plan for both central systems, e-commerce and call center Dependencies between central systems, agencies, call centers 10/13/2017 Lagos, October

17 Lagos, October 2017 Information Technology Business Exposures Software development Consulting services Hosting, Outsourcing or Cloud services PII processing on behalf their business clients Security Controls Development life-cycle security Standards, best practices, certifications SLA and risks classification Disaster Recovery Plan Data protection policies Data Breach Response and Crisis Management Clients information segregation Limitation of Responsibilities (penalties)

18 IT Risks : manufacturing (1) Central systems : ERP system : procurement, inventory, product lifecycle, finance Suppliers/Distributors systems integration : ERP, EDI Warehouse management system Supply chain management Manufacturing Execution Systems : production planning, product tracking, resource allocation, process management, maintenance management, quality management Factory systems Industrial Control Systems SCADA system e-commerce website 10/13/2017 Lagos, October

19 IT Risks : manufacturing (2) Availability risks: Central systems : ERP, BI, CRM, SCM, MES, WMS Factory systems : Industrial Control Systems (ICS) Warehouse systems Interconnection between central systems, factory systems and warehouses E-commerce web server (if any) Data breach risk Loss of customers database (in case of BtoC or BtoBtoC) Loss of Payment Card Information (in case of e-commerce) Points of attention Resiliency of central systems, e-commerce website and networks Disaster Recovery Plan for both central systems, e-commerce Dependencies between central systems, factories and warehouses ICS security : separation between back-office and production zones 10/13/2017 Lagos, October

20 Gilbert FLEPP Lagos October, 2017 Industrial Control Systems

21 Lagos October, 2017 Industrial Control Systems (ICS) - overview What does ICS means: A term used to encompass the many applications and uses of industrial and facility control and automation systems is a broad concept that encompasses all digital systems that directly interact with the Physical World Such systems are mainly composed of : Components that interact with the physical world : sensors that collect data (as temperature, pressure, humidity, speed ) and actuators that perform actions (on pumps, cylinders, valves, indicator lights ) Process Control components that manage the actuators with regards to information delivered by sensors and embedded software Application domains : Critical Infrastructure: oil and gas pipelines, wastewater collection systems, electrical power grids, railway transportation Process control: food, pharmaceutical, chemical, refinery Manufacturing: flexible fabrication, appliances, automotive, aircrafts Storage: silos, elevator, harbour, retail houses, deposits, luggage handling

22 Lagos October, 2017 Industrial Control Systems (ICS) - applications Automotive Flexible factory, robots do bulk work 90% of the functions of a car rely on software and 40% of the costs stem from the electronics Automatic cars can reduce accidents and traffic jams. Pharmaceutical industry: Inventory, Recipe management, Packaging, Sampling, Tracking & tracing, Comply with government rules Warehouses extreme dependency on the availability of the control system. The warehouse is connected to supply chain management, order fulfilment customer relationship commercial accounting

23 Lagos October, 2017 Industrial Control Systems (ICS) - applications Large building automation system: fire, security access, energy, lighting, air conditioning, Water treatment (fresh and waste water) : manage pumps, tanks, chemical composition, filters, movers, quality... Power Plant fuel supply, primary process control (steam, wind), personal, plant and neighbourhood safety, monitoring environmental impact, electricity generation (voltage/frequency), energy distribution (substation)

24 Gilbert FLEPP Lagos October, 2017 Loss Mitigation Services

25 Lagos, October 2017 What is Loss Mitigation Services (LMS)? Services designed to help policyholders understand and gauge various areas of cyber and privacy exposures that are relevant to their business Provided by a panel of independent cyber security and privacy experts INTERNAL USE ONLY. NOT FOR EXTERNAL DISTRIBUTION

26 Lagos, October 2017 What is the added value of LMS? The Client : Understands its cyber exposure, Reduces the likelihood of losses The Broker : Assists the client in risk management Cyber Insurer : Prevents losses and improves policyholder s retention

27 Lagos, October 2017 Loss Mitigation Services - examples Information Security risks assessment Users awareness Training Penetration testing Incident Response Plan development INTERNAL USE ONLY. NOT FOR EXTERNAL DISTRIBUTION

28 Chubb. Insured.